11 Things Entrepreneurs Need To Know About SSL Certificates

SSL stands for Secure Sockets Layer. When your browser communicates with a server using SSL, the SSL protocol encrypts the connection between the web browser and the web server.

When encrypted, private information can safely be transmitted between the two without fear of tampering, forgery, or eavesdropping.

TLS, or Transport Layer Security v1.0, is the modern continuation of SSL v3.0. The most current version of TLS at the time of this writing is TLS v1.2. The terms TLS and SSL can, at times, be used interchangeably.

SSL uses a certificate together with a pair of keys, one public and one private, so users can identify who they are communicating with and establish a secure connection.

A special thanks to our friends at Snitch, who worry about your SSL certificates so you don’t have to, for helping us understand SSL certificates (a must for any entrepreneur) with the following 11 points:

1. SSL Certificates Can Be Signed or Self-Signed

An SSL certificate is only as trustworthy as the person or organization who signs it. Usually, a trusted third party called a “Certificate Authority” signs certificates used on public sites.

If the certificate is self-signed, and the user agrees to communicate with a server with a self-signed certificate, then that user is relying on the owner of the web site to vouch for themselves.

2. A Certificate Authority Can Vouch for Anyone

To provide some level of trust in an SSL certificate, you need a third party to vouch for you, or more precisely for the owner of the website and of the SSL certificate.

This is the job of a certificate authority or CA. Provided you trust the CA, you can trust they’ll only vouch for legitimate companies. Thus, by association, you can trust certificates they sign.

3. Browsers Include a List of Trusted Root Certificates

When you install a browser on your machine, part of the installation is a set of trusted CA, or “root”, certificates. Then, when that browser sees a certificate for a new web site, it will check to see who signed the certificate.

If it is signed by someone in its list of trusted CA certificates, the browser will trust the new certificate, since it trusts the signer. If it is signed by anyone else, the browser follows the chain of signers up to the root; if that root certificate is trusted, the new certificate is trusted too.

4. A Secure Site Seal Identifies a Business

When a site uses a certificate from a trusted CA, that site can show a Secure Site Seal, linked to that authority.

This allows the user of the site to click on the seal to see what the certification authority authenticated. There are different levels of certificates that CAs can distribute.

5. A Domain Validated SSL Certificate Provides Little Authentication

The cheapest, and weakest, is what is known as a domain validated (DV) certificate. All the certification authority has to verify is that the requester has the right to use the domain, but they claim nothing about who the owner of the domain is.

6. An Organization Validated Certificate Adds Company Authentication

An Organization Validated (OV) certificate means the CA has authenticated who the company is.

The company must provide paperwork to the CA showing not only that it has the right to the domain, as with a DV certificate, but also that it is who it claims to be.

With a DV certificate, anybody can claim to be Coca-Cola. With an OV one, you can’t. The general trend is away from OV certificates and towards DV and EV certificates.

7. Extended Validation Certificates Provide the Most Trust

An Extended Validation (EV) certificate requires the CA to go beyond what you can think of as whois validation to provide a higher level of trust behind an SSL certificate.

Newer browsers will show not only a padlock showing secure communication but an actual green background for the URL in the toolbar.

8. Wildcard Certificates Provide Subdomain Support

When you request a certificate, you specify which domain it will protect.

If you want to protect all the subdomains of a site, you would get a wildcard certificate. Thus a wildcard certificate for *.example.com could be used with mail.example.com, www.example.com, and many other subdomains, as well as with just example.com when the bare domain is also listed on the certificate.
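An added example, not from the original article or from Snitch, showing in Python how a browser decides whether the names listed on a certificate cover the hostname it is connecting to, including the wildcard rules from point 8 (the function names and sample names are my own). It also covers the corner cases a site operator hits in practice: a wildcard matches exactly one label and does not cover the bare domain unless that name is listed separately.

```python
# Added example (not code from the original article): simplified hostname
# matching as browsers apply it to the names on a certificate. Real browsers
# additionally consult the public-suffix list and check the certificate chain,
# expiry and revocation; this block covers only the name-matching step.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """Return True if one certificate name (CN or SAN entry) covers hostname."""
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if "*" not in cert_name:
        return cert_labels == host_labels          # plain name: exact match
    # Wildcard rules as applied by current browsers:
    #  - the wildcard must be the entire left-most label ("*.example.com",
    #    not "f*.example.com" or "mail.*.com")
    #  - it must be followed by at least two labels, so "*.com" is rejected
    #  - it matches exactly one label, so "*.example.com" covers
    #    mail.example.com but neither example.com nor a.b.example.com
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def hostname_matches(cert_names, hostname):
    """True if any of the names listed on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


if __name__ == "__main__":
    # Constructed sample: the names a wildcard certificate might list.
    wildcard_only = ["*.example.com"]
    wildcard_plus_apex = ["*.example.com", "example.com"]
    for names, host in [(wildcard_only, "mail.example.com"),
                        (wildcard_only, "example.com"),
                        (wildcard_plus_apex, "example.com"),
                        (wildcard_only, "a.b.example.com")]:
        print(names, host, hostname_matches(names, host))
```

Running the block shows that only the certificate listing both *.example.com and example.com covers the bare domain.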

9. Multi-domain Certificates Offer a Company the Broadest Options

When a company requests a multi-domain certificate, it only has to validate itself once with the CA and can protect up to 210 domains with that one certificate.

You would be able to protect example.com, example.net, example.org, foobar.com, mycompany.me, etc., all with one certificate.

10. Shared Certificates Might Be Available

If you are renting web space from a reseller, they may have what you can consider a shared certificate.

This would provide you with secure access to the dashboard for your site, but you would not be able to use it for e-commerce on your site.

11. Certificate Revocation

Most modern browsers, with the exception of Google Chrome, check the revocation status of a certificate upon the first request to a secured site.

Commonly, this check is done using the OCSP protocol: the browser verifies the certificate by sending a request to the signing CA’s OCSP responder.

This can introduce latency during this first request, so site operators have the option of configuring OCSP “stapling” where the server powering a site will “pre-fetch” the OCSP response and “staple” it along with the first response.